Red Hat Storage
Recent Red Hat Storage Security Advisories
Advisory | Title | Published |
---|---|---|
RHSA-2023:5693 | (RHSA-2023:5693) Moderate: Red Hat Ceph Storage 6.1 security, enhancement, and bug fix update | October 12, 2023 |
RHSA-2023:3642 | (RHSA-2023:3642) Important: Red Hat Ceph Storage 6.1 Container security and bug fix update | June 15, 2023 |
RHSA-2023:3623 | (RHSA-2023:3623) Moderate: Red Hat Ceph Storage 6.1 security and bug fix update | June 15, 2023 |
RHSA-2023:1486 | (RHSA-2023:1486) Important: Red Hat Gluster Storage web-admin-build security update | March 28, 2023 |
RHSA-2023:0980 | (RHSA-2023:0980) Important: Red Hat Ceph Storage 5.3 Bug fix and security update | February 28, 2023 |
RHSA-2023:0076 | (RHSA-2023:0076) Moderate: Red Hat Ceph Storage 5.3 security update and Bug Fix | January 11, 2023 |
RHSA-2022:6024 | (RHSA-2022:6024) Moderate: New container image for Red Hat Ceph Storage 5.2 Security update | August 9, 2022 |
RHSA-2022:5997 | (RHSA-2022:5997) Moderate: Red Hat Ceph Storage Security, Bug Fix, and Enhancement Update | August 9, 2022 |
RHSA-2022:1716 | (RHSA-2022:1716) Moderate: Red Hat Ceph Storage 4.3 Security and Bug Fix update | May 5, 2022 |
RHSA-2022:1394 | (RHSA-2022:1394) Important: Red Hat Ceph Storage 3 Security and Bug Fix update | April 19, 2022 |
By the Year
In 2023 there have been 5 vulnerabilities in Red Hat Storage with an average score of 6.8 out of ten. Last year Storage had 4 security vulnerabilities published. That is, 1 more vulnerability have already been reported in 2023 as compared to last year. Interestingly, the average vulnerability score and the number of vulnerabilities for 2023 and last year was the same.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 5 | 6.80 |
2022 | 4 | 6.80 |
2021 | 0 | 0.00 |
2020 | 4 | 5.70 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new Storage vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Storage Security Vulnerabilities
A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements
CVE-2023-42669
6.5 - Medium
- November 06, 2023
A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the "rpcecho" service operates with only one worker in the main RPC task, allowing calls to the "rpcecho" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a "sleep()" call in the "dcesrv_echo_TestSleep()" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the "rpcecho" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as "rpcecho" runs in the main RPC task.
A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory
CVE-2023-3961
9.8 - Critical
- November 03, 2023
A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR LSA or SPOOLSS, which Samba initiates on demand. However, due to inadequate sanitization of incoming client pipe names, allowing a client to send a pipe name containing Unix directory traversal characters (../). This could result in SMB clients connecting as root to Unix domain sockets outside the private directory. If an attacker or client managed to send a pipe name resolving to an external service using an existing Unix domain socket, it could potentially lead to unauthorized access to the service and consequential adverse events, including compromise or service crashes.
Directory traversal
A vulnerability was discovered in Samba, where the flaw
CVE-2023-4091
6.5 - Medium
- November 03, 2023
A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.
Incorrect Default Permissions
A path disclosure vulnerability was found in Samba
CVE-2023-34968
5.3 - Medium
- July 20, 2023
A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path.
A vulnerability was found in Samba's SMB2 packet signing mechanism
CVE-2023-3347
5.9 - Medium
- July 20, 2023
A vulnerability was found in Samba's SMB2 packet signing mechanism. The SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. This flaw allows an attacker to perform attacks, such as a man-in-the-middle attack, by intercepting the network traffic and modifying the SMB2 messages between client and server, affecting the integrity of the data.
A flaw was found in Keystone
CVE-2022-2447
6.6 - Medium
- September 01, 2022
A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked from when it is actually revoked. This could allow a remote administrator to secretly maintain access for longer than expected.
Operation on a Resource after Expiration or Release
MaxQueryDuration not honoured in Samba AD DC LDAP
CVE-2021-3670
6.5 - Medium
- August 23, 2022
MaxQueryDuration not honoured in Samba AD DC LDAP
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix
CVE-2022-26148
9.8 - Critical
- March 21, 2022
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
Cleartext Storage of Sensitive Information
All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition
CVE-2021-44141
4.3 - Medium
- February 21, 2022
All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.
insecure temporary file
A flaw was found in the way samba handled file and directory permissions
CVE-2020-14318
4.3 - Medium
- December 03, 2020
A flaw was found in the way samba handled file and directory permissions. An authenticated user could use this flaw to gain access to certain file and directory information which otherwise would be unavailable to the attacker.
Incorrect Privilege Assignment
A NULL pointer dereference
CVE-2020-10730
6.5 - Medium
- July 07, 2020
A NULL pointer dereference, or possible use-after-free flaw was found in Samba AD LDAP server in versions before 4.10.17, before 4.11.11 and before 4.12.4. Although some versions of Samba shipped with Red Hat Enterprise Linux do not support Samba in AD mode, the affected code is shipped with the libldb package. This flaw allows an authenticated user to possibly trigger a use-after-free or NULL pointer dereference. The highest threat from this vulnerability is to system availability.
NULL Pointer Dereference
A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules
CVE-2020-10685
5.5 - Medium
- May 11, 2020
A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble.
Insufficient Cleanup
All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level = 3" (or above) then the string obtained
CVE-2019-14907
6.5 - Medium
- January 21, 2020
All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level = 3" (or above) then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process(such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless).
Out-of-bounds Read
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
CVE-2014-0221
- June 05, 2014
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which
CVE-2014-0224
7.4 - High
- June 05, 2014
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Inadequate Encryption Strength
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used
CVE-2014-3470
- June 05, 2014
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.
NULL Pointer Dereference
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets
CVE-2014-0160
7.5 - High
- April 07, 2014
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
Out-of-bounds Read
The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which
CVE-2012-0876
- July 03, 2012
The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.
Resource Exhaustion
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 13.0, Thunderbird before 13.0, and SeaMonkey before 2.10
CVE-2012-1938
- June 05, 2012
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 13.0, Thunderbird before 13.0, and SeaMonkey before 2.10 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) methodjit/ImmutableSync.cpp, (2) the JSObject::makeDenseArraySlow function in js/src/jsarray.cpp, and unknown other components.
ImageMagick 6.7.5-7 and earlier
CVE-2012-0247
8.8 - High
- June 05, 2012
ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via crafted offset and count values in the ResolutionUnit tag in the EXIF IFD0 of an image.
Improper Input Validation
The TIFFGetEXIFProperties function in coders/tiff.c in ImageMagick before 6.7.6-3
CVE-2012-1798
6.5 - Medium
- June 05, 2012
The TIFFGetEXIFProperties function in coders/tiff.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted EXIF IFD in a TIFF image.
Out-of-bounds Read
The JPEGWarningHandler function in coders/jpeg.c in ImageMagick before 6.7.6-3
CVE-2012-0260
6.5 - Medium
- June 05, 2012
The JPEGWarningHandler function in coders/jpeg.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (memory consumption) via a JPEG image with a crafted sequence of restart markers.
Resource Exhaustion
ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted image whose IFD contains IOP tags
CVE-2012-0248
5.5 - Medium
- June 05, 2012
ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted image whose IFD contains IOP tags that all reference the beginning of the IDF.
Infinite Loop
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which
CVE-2012-0053
- January 28, 2012
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.
scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might
CVE-2012-0031
- January 18, 2012
scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function.
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Enterprise Linux Eus or by Red Hat? Click the Watch button to subscribe.
